IMPROVED STRONGLY DENIABLE AUTHENTICATED KEY EXCHANGES FOR
SECURE MESSAGING
Nik Unger and
Ian Goldberg
2
Secure Messaging
3
Secure Messaging
[Figure: chart with axes Confidentiality and Authentication; labels: Plaintext, TLS to Server, End-to-End Zone, “All-Verifier” Authentication, Anonymous, Deniable Authentication (OTR, Signal)]
4
Why Deniability?
5
Deniable Messaging
A B
<B> there’s a protest about it tomorrow
<B> want to go?
<A> Yes!
<B> ok, no phones
CryptoMagic
6
Deniable Messaging
<B> there’s a protest about it tomorrow
<B> want to go?
<A> Yes!
<B> ok, no phones
7
Deniable Messaging…?
A B
8
Offline vs. Online Deniability
A B
<B> there’s a protest about it tomorrow
<B> want to go?
<A> Yes!
<B> ok, no phones
CryptoMagic
A B
Offline Deniability
Online Deniability
9
Deniable Messaging…?
● See Appendix A – Attacks on OTRv3 and Signal
● Also see ia.cr/2018/424:
10
Deniable Messaging
A B
11
Deniable Messaging
A B
12
In This Paper
● Two new efficient key exchange protocols
Interactive Non-interactive
13
Security Properties
● Confidentiality
● Mutual authentication
● Forward secrecy
● Contributiveness
● Offline and online deniability
14
Crypto Toolbox
Identity key (long-term asymmetric)
Ephemeral key (short-term asymmetric)
Diffie-Hellman shared secret
Shared session key (symmetric)
15
Crypto Toolbox
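ID key
Eph. key
Sym. key
Diffie-Hellman shared secret
Signature
– Create: need private [key icon]
– Verify: need public [key icon]
MAC
– Create: need [key icon]
– Verify: need [key icon]
Ring signature
– Create: need one private [key icon], [key icon], or [key icon]
– Verify: need all public [key icon], [key icon], and [key icon]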
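Added example (not from the slides or the paper's code): the ring-signature rule from the Crypto Toolbox slide, where creating needs one private key and verifying needs all public keys, written as a 1-of-n Schnorr OR-proof over a toy group. The construction, the group parameters and all names (keygen, ring_sign, ring_verify, demo) are assumptions chosen for illustration.

```python
import hashlib, math, secrets

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

# Toy Schnorr group, constructed for this demo and far too small for real use:
# P = 2Q + 1 with P, Q prime; G = 4 generates the subgroup of order Q.
Q = next(q for q in range(2**30, 2**31) if _is_prime(q) and _is_prime(2 * q + 1))
P, G = 2 * Q + 1, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                      # (private, public)

def _challenge(ring, commits, msg):
    data = repr((P, G, tuple(ring), tuple(commits))).encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def ring_sign(ring, idx, priv, msg):
    """Create: needs ONE private key, the one matching ring[idx]."""
    n = len(ring)
    c, r, commits = [0] * n, [0] * n, [0] * n
    for j in range(n):
        if j == idx:                            # real signer: honest commitment
            t = secrets.randbelow(Q)
            commits[j] = pow(G, t, P)
        else:                                   # other members: simulated
            c[j], r[j] = secrets.randbelow(Q), secrets.randbelow(Q)
            commits[j] = pow(G, r[j], P) * pow(ring[j], c[j], P) % P
    # Shares must sum to the hash: n-1 were picked freely, the signer's is forced.
    c[idx] = (_challenge(ring, commits, msg) - sum(c)) % Q
    r[idx] = (t - c[idx] * priv) % Q
    return list(zip(c, r))

def ring_verify(ring, msg, sig):
    """Verify: needs ALL public keys; does not reveal which member signed."""
    if len(sig) != len(ring):
        return False
    commits = [pow(G, r, P) * pow(y, c, P) % P for y, (c, r) in zip(ring, sig)]
    return sum(c for c, _ in sig) % Q == _challenge(ring, commits, msg)

def demo(msg=b"constructed transcript"):
    keys = [keygen() for _ in range(3)]         # e.g. two ID keys, one ephemeral key
    ring = [pub for _, pub in keys]
    return [ring_verify(ring, msg, ring_sign(ring, i, keys[i][0], msg))
            for i in range(3)]
```

Every entry returned by demo() is True: a signature made with any one of the three private keys verifies against the same ring, so a valid signature alone cannot show which key holder produced it.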
16
Crypto Toolbox
Diffie-Hellman shared secret
Signature
MAC
Ring signature
ID key
Eph. key
Sym. key
17
Deniable Authenticated Key Exchanges
A B
DAKE
Secure messaging protocol
18
DAKEZ
A B
Shared key ( ):
19
DAKEZ: Authentication
A B
Shared key ( ):
Nobody else knows
or , so they know
20
DAKEZ: Authentication
A B
Shared key ( ):
Nobody else knows
or , so they know
21
DAKEZ: Offline Deniability
F F
Shared key ( ):
22
DAKEZ: Online Deniability
A
Shared key ( ):
AB
23
Mobile?
24
Mobile Use
A B
“Prekeys” Recipient ID
Message
Message
25
ZDH
A B
Shared key ( ):
&
26
ZDH: Authentication
A B
Shared key ( ):
&
Nobody else knows
so any reader must know
27
Weak Forward Secrecy
A B
(Ciphertext for & )
Collect
(Time passes)
(Like Signal, originally)
28
XZDH
A B
Shared key ( ):
& &
29
Is This Secure?
30
Is This Secure?
“Yes.”
31
OTRv4 Adoption
● External adoption: OTRv4 team
32
Performance
                   SIGMA-R   DAKEZ     3DH      ZDH      X3DH       XZDH
                   (OTRv3)   (OTRv4)                     (Signal)   (OTRv4)
Key Gen. (ms)      0.0240    0.0440    0.0228   0.0429   0.0240     0.0444
Key Exch. (ms)     0.3478    1.094     0.4229   0.778    0.5533     0.9217
ID Key (bytes)     32        32        32       32       32         32
Prekey (bytes)     -         -         32       32       32 & 96    32 & 96
Key Exch. (bytes)  272       464       80       304      80         304
33
Extras in the Paper
34
Extras in the Paper
Quantum-resistant transitional security
Efficient dual-receiver encryption
Defeating key-compromise impersonation
Implementation details & advice
35
Summary
● New key exchanges: DAKEZ, (X)ZDH
● Secure connection, eponymous, no all-verifier authentication required? Use these!
● Code & data: crysp.org/software/dakez_xzdh
● Come see OTRv4 at HotPETs
● Coming soon: group messaging
Thank you!
[email protected]
36
You’ve Activated My Bonus Slides!!!
37
Limited Online Deniability
A B
“Prekeys” Recipient ID
, Auth, Msg
Auth with
, Auth, Msg
38
RSDAKE and Spawn
● Standard model → Random oracle model
– Obscure assumptions → common assumptions
– Seconds → milliseconds
– Improved security (contributiveness, forward secrecy)
● RSDAKE → DAKEZ
● Spawn → ZDH
39
DAKE Comparison
40
Signal Deniability
[Diagram: 3DH, keys IKA, EKA, IKB, EKB]
[Diagram: X3DH, keys IKA, EKA, IKB, SPKB, OTKB]
41
Lack of Contributiveness
● Problems with non-contributory:
– Can coerce a client to use a known secret
– Can use a secret known to a third party, allowing them to decrypt without their consent
● Non-problems with non-contributory:
– Contributiveness does not prevent desirable bits
– Contributiveness does not defend against weak PRNGs
42
ZDH
A B
Shared key ( ):
&
43
ZDH: Authentication
A B
Shared key ( ):
&
Nobody else knows
or , so they know .
They also know
44
Mitigating KCI Attacks
A B
Shared key ( ):
45
Online Deniability Attack for Signal
● (Alice is coerced by Judson)
● Alice downloads Bob’s prekey: IKB, SPKB, Sig(IKB, Encode(SPKB))
● Judson generates key pair with public EKA
● Alice provably reveals DH(IKA, SPKA)
● Alice sends EKA to Bob
● Judson can compute the secret, Alice cannot
Quantum Transitional Security
● Authenticate quantum KEM, like CECPQ1
47
DAKEZ
48
ZDH & XZDH